No matter who's involved, public key encryption never fails to create its own controversy. While the US Congress and the National Security Agency duke it out with folks like Whit Diffie over where to draw the bounds of privacy, two of the leading figures in the encryption movement have been locked in a grudge fight over who has the right to provide public key protection to the masses.

It all comes down to a fight over Phil Zimmermann's program called Pretty Good Privacy, or PGP. Combining Diffie's concepts with patented algorithms that implement those concepts, Zimmermann created a personal computer-based program that renders files and electronic mail almost spy-proof. He then gave it away free. All well and good, except for one minor point: those patented algorithms had already been licensed to RSA Data Security Inc., which has no intention of letting Zimmermann corrode its markets.

In PGP's documentation, Zimmermann called his program "guerrilla freeware." Jim Bidzos, president of RSA and its sublicensee Public Key Partners, has called Zimmermann "an intellectual property thief. He offered to give away something that wasn't his to give." The 39-year-old Bidzos, a burly Greek national, could easily pass for a Hollywood version of an arms dealer - and that's how he's categorized under US law, which classifies cryptographic software as "munitions" and forbids its export.

Since its free release into the Net world in June 1991, PGP has become the bane of law enforcement officials, who say it lets criminals and would-be terrorists hide the evidence of their illegal activities. Recent, stronger versions of PGP have emboldened a new generation of civil libertarians and self-proclaimed cypherpunks, who say that strong cryptography is a fundamental requirement for free speech among law-abiding citizens in the electronic age.

Perhaps so. But, free speech or no, anybody who used early versions of PGP in the United States could be sued - not for trying to protect their privacy, but for patent infringement. The patent for the basic algorithm at the heart of PGP - the RSA public key encryption algorithm - is assigned to MIT, which has licensed it exclusively to RSA Data Security.

Unless you have a license, you can't distribute an invention based on someone else's patent, and Phil Zimmermann, PGP's 40-year-old author, didn't have one. But he gave away the software anyway, by passing it out on floppy disks to other people who, in turn, made it available for download on bulletin board systems around the Net. (For more on how Zimmermann created PGP, see "Crypto Rebels," Wired 1.2, page 54.)

Quick-tempered and unshakable in the belief that RSA Data Security is fighting the holy war to bring cryptography to the world, Bidzos has nevertheless tried to block PGP at every possible opportunity. Bidzos pressured online services like CompuServe and America Online to take copies of PGP off their systems. He went after universities, demanding that they take PGP off their computers and keep it away from their students. But he could not keep the program from spreading: it was already on the Net and impossible to contain.

Early History

Before he released PGP, Zimmermann asked Bidzos for a free license for the patents. Bidzos refused, noting that he had already sold licenses to third parties and didn't want to undercut their business. Zimmermann says that he released PGP because the US Senate's 1991 omnibus crime bill had a measure buried within it that would have directed manufacturers of secure communications equipment to insert "trapdoors" into their products so that messages could be decrypted by the government. Releasing PGP, Zimmermann claims, was a preemptive strike against such an Orwellian future. (Zimmermann has since become the subject of a criminal investigation focusing on PGP's export overseas.)

After PGP's release, Bidzos and Zimmermann came to an agreement - of sorts. Bidzos sent Zimmermann a letter, saying that his company would not sue Zimmermann if Zimmermann stopped distributing PGP in the US. Because the RSA patent is in force only in the US, Bidzos had no way to stop the international distribution of PGP. Zimmermann signed the letter and sent it back. But soon thereafter, PGP cropped up again - this time on several ftp sites in Europe and Australia. Through the Net, those versions leaked back into the States. Bidzos says that Zimmermann broke the agreement. Zimmermann claims he did not.

However, Zimmermann will admit that he assisted an international team in the development of the second release of PGP. The program was released in the Netherlands.

Simson L. Garfinkel's (simsong@mit.edu) book about PGP will be published in November by O'Reilly & Associates.